CVE-2020-9463
Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.
Source: CVE-2020-9463
[월:] 2020년 02월
CVE-2020-5247
CVE-2020-5247
In Puma (RubyGem) before 4.3.2 and 3.12.2, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Source: CVE-2020-5247
CVE-2020-9447
CVE-2020-9447
The file-upload feature in GwtUpload 1.0.3 allows XSS via a crafted filename.
Source: CVE-2020-9447
CVE-2019-10064
CVE-2019-10064
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
Source: CVE-2019-10064
CVE-2020-9399
CVE-2020-9399
The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux.
Source: CVE-2020-9399
CVE-2020-9442
CVE-2020-9442
OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%OpenVPN Connectdriverstapamd64win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.
Source: CVE-2020-9442
CVE-2019-8741
CVE-2019-8741
A denial of service issue was addressed with improved input validation.
Source: CVE-2019-8741
CVE-2019-3698
CVE-2019-3698
UNIX Symbolic Link (Symlink) Following vulnerability in the cronjob shipped with nagios of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 11; openSUSE Factory allows local attackers to cause cause DoS or potentially escalate privileges by winning a race. This issue affects: SUSE Linux Enterprise Server 12 nagios version 3.5.1-5.27 and prior versions. SUSE Linux Enterprise Server 11 nagios version 3.0.6-1.25.36.3.1 and prior versions. openSUSE Factory nagios version 4.4.5-2.1 and prior versions.
Source: CVE-2019-3698
CVE-2020-9434
CVE-2020-9434
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
Source: CVE-2020-9434
CVE-2020-9433
CVE-2020-9433
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
Source: CVE-2020-9433